Fresh rawhide install / AVC messages

Wed Mar 10 10:20:40 UTC 2004

On Wed, 10 Mar 2004 19:19, Dax Kelson <dax at gurulabs.com> wrote:
> I have made no custom changes to my box at this point.

OK.

> > I have attached a first cut at cpuspeed policy, it won't work but if you
> > try it out I'll get more information and be able to write more policy. 
> > What is the full path name for this scaling_governor file?
>
> /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
>
> Tomorrow I'll see if I can try it out.

I guess we'll need something like:
allow cpuspeed_t sysfs_t:dir search;
allow cpuspeed_t sysfs_t:file rw_file_perms;

> > > scontext=system_u:system_r:dhcpc_t
> > > tcontext=system_u:object_r:ntpd_etc_t tclass=file
> > > audit(1078849148.797:0): avc:  denied  { getattr } for pid=1161
> > > exe=/bin/bash path=/tmp dev=hda8 ino=588673
> >
> > This is a problem.  Is this standard functionality of the dhcp client or
> > have you written your own scripts?
>
> This is standard behavior on RHL8.0 and above if the DHCP server sends the
> 'time-server' options. I don't know off hand if it is RH specific or stock
> dhclient.

Regardless of whether it's RH specific or standard dhclient it's something 
that has to be supported.

> > The problem we face is that the dhcp client as a standard function will
> > replace /etc/resolv.conf.  The /etc/resolv.conf file is given the type
> > resolv_conf_t because so many programs want to re-write it.
> >
> > Now we can give the ntpd config file the same type.  But in that case we
> > will probably want to rename it to net_conf_t or something.
> >
> > This is all conditional on this being standard functionality of the dhcp
> > client.  If it's your customisation then you can just change ntpd.fc to
> > label the file as resolv_conf_t.  Although I suspect that if this is a
> > customisation of yours it'll become a standard thing soon enough, it
> > sounds like a good idea!
>
> net_conf_t sounds good. I'd imagine we are going to encouter other cases
> besides resolv.conf and ntp.conf.

What else might we have?

net_conf_t doesn't seem ideal to me, but I can't think of anything better at 
the moment.

Also one other thing to note is that /etc/yp.conf has the same type, this may 
not be what we want.

> > > tclass=dir audit(1078849148.798:0): avc:  denied  { search } for 
> > > pid=1161 exe=/bin/bash name=tmp dev=hda8 ino=588673
> > > scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t
> > > tclass=dir audit(1078849148.798:0): avc:  denied  { write } for 
> > > pid=1161 exe=/bin/bash name=tmp dev=hda8 ino=588673
> > > scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t
> > > tclass=dir audit(1078849148.798:0): avc:  denied  { add_name } for
> > > pid=1161 exe=/bin/bash name=sh-thd-1078853309
> >
> > What is this for?  The following is the policy needed to address that. 
> > If it's a standard thing then I'll put it in my policy tree.
> >
> > tmp_domain(dhcpc)
>
> I don't know, what's it doing? :)
>
> It is a standard thing as I've made no custom changes.

OK, I've added the tmp_domain() rule to my tree.

> > > audit(1078849246.286:0): avc:  denied  { create } for  pid=4526
> > > exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t
> > > tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0):
> > > avc:  denied  { unix_read unix_write } for  pid=4526
> > > exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t
> > > tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0):
> > > avc:  denied  { read write } for  pid=4526 exe=/usr/bin/python key=0
> > > scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> > > tclass=shm
> >
> > Any idea what this program is?
>
> Maybe it is firstboot.

I'll have to do some tests with that.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page